OpenVPN Speed problem on 1 Gbps link

khodorb
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 18, 2022 5:48 pm

OpenVPN Speed problem on 1 Gbps link

Post by khodorb » Thu Aug 18, 2022 5:57 pm

Hi,
I am using OpenVPN on a Netgate SG-4860 in our datacenter, and I have a symmetric 1 Gbps WAN link.
On the LAN I can reach that speed on Speedtest, but when connected remotely via OpenVPN I only get 50 to 60 Mbps on Speedtest.
I was wondering what could be wrong with my setup and which parameters I can change in my settings to increase the speed for VPN users.
Is there a bandwidth limit that we can control in OpenVPN?

I am on pfSense version 2.4.5, and I also tested this on pfSense+ 22.05.

This is my current configuration; I have removed the TLS and DNS sections for privacy.


<openvpn>
<openvpn-server>
<vpnid>1</vpnid>
<mode>server_tls_user</mode>
<authmode>Local Database</authmode>
<protocol>UDP4</protocol>
<dev_mode>tun</dev_mode>
<interface>wan</interface>
<ipaddr></ipaddr>
<local_port>1194</local_port>
<description><![CDATA[PAID OpenVPN server]]></description>
<custom_options></custom_options>
<tls></tls>
<tls_type>auth</tls_type>
<tlsauth_keydir>default</tlsauth_keydir>
<caref>59a47a78cfd5b</caref>
<crlref>59a47fec1401d</crlref>
<certref>59a5ca057de10</certref>
<dh_length>2048</dh_length>
<ecdh_curve>none</ecdh_curve>
<cert_depth>1</cert_depth>
<strictusercn>yes</strictusercn>
<crypto>AES-256-CBC</crypto>
<digest>SHA256</digest>
<engine>cryptodev</engine>
<tunnel_network>192.168.72.0/24</tunnel_network>
<tunnel_networkv6></tunnel_networkv6>
<remote_network></remote_network>
<remote_networkv6></remote_networkv6>
<gwredir>yes</gwredir>
<gwredir6></gwredir6>
<local_network></local_network>
<local_networkv6></local_networkv6>
<maxclients>100</maxclients>
<compression></compression>
<compression_push></compression_push>
<passtos></passtos>
<client2client>yes</client2client>
<dynamic_ip>yes</dynamic_ip>
<topology>subnet</topology>
<serverbridge_dhcp></serverbridge_dhcp>
<serverbridge_interface>none</serverbridge_interface>
<serverbridge_routegateway></serverbridge_routegateway>
<serverbridge_dhcp_start></serverbridge_dhcp_start>
<serverbridge_dhcp_end></serverbridge_dhcp_end>
<dns_domain>company.local</dns_domain>
<dns_server1></dns_server1>
<dns_server2></dns_server2>
<dns_server3></dns_server3>
<dns_server4></dns_server4>
<push_blockoutsidedns>yes</push_blockoutsidedns>
<username_as_common_name><![CDATA[enabled]]></username_as_common_name>
<exit_notify>none</exit_notify>
<sndrcvbuf></sndrcvbuf>
<push_register_dns>yes</push_register_dns>
<netbios_enable></netbios_enable>
<netbios_ntype>0</netbios_ntype>
<netbios_scope></netbios_scope>
<create_gw>both</create_gw>
<verbosity_level>4</verbosity_level>
<ncp-ciphers>AES-128-GCM,AES-256-CBC</ncp-ciphers>
<ncp_enable>enabled</ncp_enable>
<ping_method>keepalive</ping_method>
<keepalive_interval>10</keepalive_interval>
<keepalive_timeout>60</keepalive_timeout>
<ping_seconds>10</ping_seconds>
<ping_push></ping_push>
<ping_action>ping_restart</ping_action>
<ping_action_seconds>60</ping_action_seconds>
<ping_action_push></ping_action_push>
<inactive_seconds>60</inactive_seconds>
</openvpn-server>
</openvpn>

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Speed problem on 1 Gbps link

Post by TinCanTech » Thu Aug 18, 2022 6:51 pm

The only known limits to Openvpn speed are the quality of the hardware you throw at it.

Openvpn can saturate a 10Gbps link, given enough oomph.

khodorb
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 18, 2022 5:48 pm

Re: OpenVPN Speed problem on 1 Gbps link

Post by khodorb » Thu Aug 18, 2022 7:55 pm

Sorry, I didn't get your point. I have tested 2 Netgate devices:
SG-4860 and 6100 MAX with 1 Gbps WAN speed. On the LAN network I can reach the same speed, but when using an OpenVPN client connection, the speed test shows a result of 50 to 60 Mbps. I have 50 users in total using OpenVPN, and I tested the speed when no one else was connected.

Pippin
Forum Team
Posts: 1200
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN Speed problem on 1 Gbps link

Post by Pippin » Thu Aug 18, 2022 11:45 pm

Hi,

On pfSense, what does

Code:

kldstat

give on CLI?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

khodorb
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 18, 2022 5:48 pm

Re: OpenVPN Speed problem on 1 Gbps link

Post by khodorb » Thu Aug 18, 2022 11:52 pm

Id Refs Address Size Name
1 10 0xffffffff80200000 3724440 kernel
2 1 0xffffffff83a21000 10d0 cpuctl.ko
3 1 0xffffffff83a23000 32e8 cryptodev.ko
4 1 0xffffffff83a27000 7038 aesni.ko

Pippin
Forum Team
Posts: 1200
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN Speed problem on 1 Gbps link

Post by Pippin » Fri Aug 19, 2022 12:17 am

Code:

3 1 0xffffffff83a23000 32e8 cryptodev.ko

It's a bad idea to load --engine in Openvpn.
Please disable hardware crypto for the server.

It's probably easier to do in CLI because then no restart needed:

Code:

kldunload cryptodev.ko

and

Code:

kldunload aesni.ko

OpenVPN uses OpenSSL for crypto tasks.
Using AES-NI via kernel cryptodev is almost always a bad idea because it is slower than just using the same AES-NI instructions in openssl userland ("same CPU opcodes, less jump-to-kernel-and-back")

Test again.

khodorb
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 18, 2022 5:48 pm

Re: OpenVPN Speed problem on 1 Gbps link

Post by khodorb » Fri Aug 19, 2022 12:47 am

To be honest, I loaded those kernels an hour ago, so the performance was the same with and without encryption.
When I wrote the topic, the settings were these:
CPU Type Intel(R) Atom(TM) CPU C2558 @ 2.40GHz
Current: 1200 MHz, Max: 2400 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (inactive)

I have read this article, which asks to enable crypto if your hardware supports it:

https://docs.netgate.com/pfsense/en/lat ... celeration

CPU Type Intel(R) Atom(TM) CPU C2558 @ 2.40GHz
Current: 1200 MHz, Max: 2400 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (Active)

What is your recommendation here? I am getting the same speed on both configurations.

khodorb
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 18, 2022 5:48 pm

Re: OpenVPN Speed problem on 1 Gbps link

Post by khodorb » Fri Aug 19, 2022 12:53 am

[2.4.5-RELEASE][root@pfsense]/root: kldunload cryptodev.ko

[2.4.5-RELEASE][root@pfsense]/root: kldstat
Id Refs Address Size Name
1 8 0xffffffff80200000 3724440 kernel
2 1 0xffffffff83a21000 10d0 cpuctl.ko
4 1 0xffffffff83a27000 7038 aesni.ko
5 1 0xffffffff83a2f000 c90 coretemp.ko
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: /usr/bin/openssl engine -t -c
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: kldunload aesni.ko
[2.4.5-RELEASE][root@pfsense]/root: /usr/bin/openssl engine -t -c
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:

########### After unloading the modules ########################

[2.4.5-RELEASE][root@pfsense]/root: openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 19437386 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 64 size blocks: 7511765 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 2274301 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 1024 size blocks: 596823 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 78900 aes-128-cbc's in 3.13s
OpenSSL 1.0.2u-freebsd 20 Dec 2019
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 103396.80k 160250.99k 193068.12k 203715.58k 206831.62k
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: openssl speed -evp aes-128-gcm
Doing aes-128-gcm for 3s on 16 size blocks: 10964746 aes-128-gcm's in 2.99s
Doing aes-128-gcm for 3s on 64 size blocks: 5336145 aes-128-gcm's in 3.01s
Doing aes-128-gcm for 3s on 256 size blocks: 1868933 aes-128-gcm's in 3.02s
Doing aes-128-gcm for 3s on 1024 size blocks: 521176 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 67189 aes-128-gcm's in 3.00s
OpenSSL 1.0.2u-freebsd 20 Dec 2019
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-gcm 58631.33k 113542.08k 158655.95k 177894.74k 183470.76k
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:

################## After Reloading Modules #########################

[2.4.5-RELEASE][root@pfsense]/root: /usr/bin/openssl engine -t -c
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
[ available ]
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: kldstat
Id Refs Address Size Name
1 12 0xffffffff80200000 3724440 kernel
2 1 0xffffffff83a21000 10d0 cpuctl.ko
5 1 0xffffffff83a2f000 c90 coretemp.ko
6 1 0xffffffff83a23000 7038 aesni.ko
7 1 0xffffffff83a2b000 32e8 cryptodev.ko
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 318269 aes-128-cbc's in 0.52s
Doing aes-128-cbc for 3s on 64 size blocks: 307693 aes-128-cbc's in 0.48s
Doing aes-128-cbc for 3s on 256 size blocks: 272028 aes-128-cbc's in 0.48s
Doing aes-128-cbc for 3s on 1024 size blocks: 187180 aes-128-cbc's in 0.39s
Doing aes-128-cbc for 3s on 8192 size blocks: 47687 aes-128-cbc's in 0.05s
OpenSSL 1.0.2u-freebsd 20 Dec 2019
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 9875.98k 41321.66k 146128.09k 490681.14k 8333907.29k
[2.4.5-RELEASE][root@pfsense]/root: openssl speed -evp aes-128-gcm
Doing aes-128-gcm for 3s on 16 size blocks: 10987038 aes-128-gcm's in 3.01s
Doing aes-128-gcm for 3s on 64 size blocks: 5323839 aes-128-gcm's in 2.99s
Doing aes-128-gcm for 3s on 256 size blocks: 1882455 aes-128-gcm's in 3.04s
Doing aes-128-gcm for 3s on 1024 size blocks: 525094 aes-128-gcm's in 3.02s
Doing aes-128-gcm for 3s on 8192 size blocks: 67508 aes-128-gcm's in 3.00s
OpenSSL 1.0.2u-freebsd 20 Dec 2019
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-gcm 58445.33k 113871.77k 158571.43k 177842.69k 184341.85k


It seems OpenSSL is faster with AES-128-CBC when hardware crypto (AES-NI) is enabled.

Correct me if I am wrong.
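
An added example, not part of any post in this thread: a small parser for the `openssl speed` "Doing ..." lines shown above that recomputes throughput over the nominal 3 s run instead of the interval printed after "in". It assumes that interval is user-CPU time (the `openssl speed` default when `-elapsed` is not given) and that each run really lasted about its nominal duration; the function names are hypothetical.

```python
import re

# Constructed sample input: "Doing ..." lines copied from the two aes-128-cbc
# runs posted in the thread (modules unloaded vs. cryptodev engine available).
SOFTWARE = """\
Doing aes-128-cbc for 3s on 16 size blocks: 19437386 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 1024 size blocks: 596823 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 78900 aes-128-cbc's in 3.13s
"""
CRYPTODEV = """\
Doing aes-128-cbc for 3s on 16 size blocks: 318269 aes-128-cbc's in 0.52s
Doing aes-128-cbc for 3s on 1024 size blocks: 187180 aes-128-cbc's in 0.39s
Doing aes-128-cbc for 3s on 8192 size blocks: 47687 aes-128-cbc's in 0.05s
"""

LINE = re.compile(
    r"Doing \S+ for (?P<nominal>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) \S+ in (?P<timed>[\d.]+)s"
)

def parse(text):
    """Map block size -> (reported kB/s, kB/s over the nominal run, timed/nominal)."""
    rows = {}
    for m in LINE.finditer(text):
        nominal, timed = float(m["nominal"]), float(m["timed"])
        total_bytes = int(m["size"]) * int(m["count"])
        rows[int(m["size"])] = (
            total_bytes / timed / 1000,    # what the summary table prints
            total_bytes / nominal / 1000,  # assumption: run lasted ~nominal seconds
            timed / nominal,
        )
    return rows

def undercounted(text, min_fraction=0.9):
    """Block sizes where the timed interval is far shorter than the run itself."""
    return sorted(s for s, r in parse(text).items() if r[2] < min_fraction)

def engine_wins(software, engine):
    """Block sizes where the engine run moved more bytes per nominal second."""
    sw, hw = parse(software), parse(engine)
    return sorted(s for s in sw.keys() & hw.keys() if hw[s][1] > sw[s][1])

if __name__ == "__main__":
    print("undercounted (software):", undercounted(SOFTWARE))
    print("undercounted (cryptodev):", undercounted(CRYPTODEV))
    print("cryptodev wins per nominal second at:", engine_wins(SOFTWARE, CRYPTODEV))
```

Running `openssl speed -elapsed -evp aes-128-cbc` on the device measures wall-clock time directly, which removes the need for the nominal-duration assumption.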
